Bug 1230240

Summary: start-ds-admin and dirsrv-admin.service start httpd under different SELinux contexts
Product: Red Hat Directory Server
Reporter: Viktor Ashirov <vashirov>
Component: Admin
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified
Priority: unspecified
Version: 10.0
CC: arubin, mreynolds, nhosoi, rvdwees, wibrown
Target Milestone: DS10.1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: 389-admin-1.1.44-1.el7dsrv
Doc Type: Bug Fix
Last Closed: 2016-11-07 15:38:48 UTC
Type: Bug
Bug Depends On: 1273451    

Description Viktor Ashirov 2015-06-10 13:25:55 UTC
Description of problem:
start-ds-admin and dirsrv-admin.service start httpd under different SELinux contexts. This causes the pidfile and socket to be created with different labels, which causes an inability to restart the Admin server from the GUI Console.

/usr/sbin/start-ds-admin:
if [ -z "yes" ] ; then
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi
fi

$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"


Version-Release number of selected component (if applicable):
389-admin-1.1.42-1.el7dsrv.x86_64

How reproducible:
always

Steps to Reproduce:
1. start Admin server using start-ds-admin
2. stop Admin server
3. start Admin server using systemctl start dirsrv-admin

Actual results:
# start-ds-admin 
# ps -Zaux | grep [h]ttpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0  0.1 165132 3028 ? Ss 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8310 0.0  0.1 165116 2104 ? S 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0  0.3 771604 6144 ? Sl 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid


# systemctl start dirsrv-admin
# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      8226  0.0  0.1 165132  3020 ?        Ss   17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      8227  0.0  0.1 165116  2100 ?        S    17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    nobody    8228  0.0  0.3 771604  6136 ?        Sl   17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid


Expected results:
start-ds-admin should not use unconfined_t for httpd. 

Additional info:

Comment 6 Noriko Hosoi 2016-07-21 17:31:04 UTC
*** Bug 1280259 has been marked as a duplicate of this bug. ***

Comment 8 Viktor Ashirov 2016-09-13 13:41:11 UTC
Builds tested:
389-admin-1.1.44-1.el7dsrv.x86_64
selinux-policy-3.13.1-97.el7.noarch

[0 root@qeos-141 ~]# start-ds-admin 
[0 root@qeos-141 ~]# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      2969  0.3  0.1  39224  2712 ?        S    09:37   0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0    root      2970  0.0  0.4 171004  8880 ?        Ss   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2971  0.0  0.1 166068  2884 ?        S    09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    dirsrv    2972  0.6  0.7 777744 14028 ?        Sl   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
[0 root@qeos-141 ~]# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid



[0 root@qeos-141 ~]# systemctl start dirsrv-admin
[0 root@qeos-141 ~]# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      2969  0.0  0.1  39224  2712 ?        S    09:37   0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0    root      2970  0.0  0.4 171004  8880 ?        Ss   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2971  0.0  0.1 166068  2884 ?        S    09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    dirsrv    2972  0.0  0.7 777744 14028 ?        Sl   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
[0 root@qeos-141 ~]# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid

Marking as VERIFIED.
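
The manual check in this report (read `ps -Zaux` and confirm that every Admin Server httpd process runs as httpd_t) can be scripted. The following is an added example, not part of the original bug report or of 389-admin; the names check_admin_httpd_domain, sample_before, sample_after, EXPECTED_TYPE and CONF are hypothetical, and the sample lines are abbreviated from the output quoted in the report.

```shell
#!/bin/sh
# Added example: flag Admin Server httpd processes that run outside the
# expected SELinux domain, using `ps -Zaux` output as input.

EXPECTED_TYPE="httpd_t"                     # domain seen when started by systemd
CONF="/etc/dirsrv/admin-serv/httpd.conf"    # config path used by both start methods

# Reads `ps -Zaux` lines on stdin (columns: LABEL USER PID ...).
# Prints "<pid> <type>" for each Admin Server httpd process whose SELinux
# type is not EXPECTED_TYPE.
# Exit status: 0 = all as expected, 1 = mismatch found, 2 = no process seen.
check_admin_httpd_domain() {
    awk -v want="$EXPECTED_TYPE" -v conf="$CONF" '
        index($0, "-f " conf) {
            seen++
            # A context is user:role:type:level; the level may contain
            # further colons, so only the third field is the type.
            split($1, ctx, ":")
            if (ctx[3] != want) { print $3, ctx[3]; bad++ }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Sample input, abbreviated from the report: started with start-ds-admin
# on the affected build.
sample_before() {
    cat <<'EOF'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0 0.1 165132 3028 ? Ss 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0 0.3 771604 6144 ? Sl 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
EOF
}

# Sample input, abbreviated from the report: same command on the fixed build.
# The nss_pcache helper is not an httpd process and is skipped by the filter.
sample_after() {
    cat <<'EOF'
system_u:system_r:httpd_t:s0 root 2969 0.3 0.1 39224 2712 ? S 09:37 0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0 root 2970 0.0 0.4 171004 8880 ? Ss 09:37 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0 dirsrv 2972 0.6 0.7 777744 14028 ? Sl 09:37 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
EOF
}

sample_before | check_admin_httpd_domain || echo "affected build: mismatch (status $?)"
sample_after  | check_admin_httpd_domain && echo "fixed build: all httpd processes in $EXPECTED_TYPE"
```

On a live host the function is fed with `ps -Zaux | check_admin_httpd_domain` after each start method.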

Comment 10 errata-xmlrpc 2016-11-07 15:38:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2665.html